The SOLVE-IT knowledge base of digital forensics techniques continues to evolve. This is our second release since the DFRWS EU 2025 launch: SOLVE-IT Alpha Release v0.2025.09 (September 2025). A summary of the updates is provided below, including:
- Freely available slides & class exercises to help teach weaknesses & mitigations
- Model Context Protocol (MCP) server providing LLM access to SOLVE-IT
- A new Python library providing programmatic access to SOLVE-IT
- Overhaul of the keyword searching technique, with its weaknesses and mitigations, to capture the complexity of this technique
- A new guidance document: “Contributing to SOLVE-IT – A Guide for Researchers”
Outreach and Education
- The first SOLVE-IT workshop was held at DFRWS USA 2025 in Chicago, exploring the knowledge base and its use, including programmatic integration with digital forensic tools and usage by AI applications via the MCP server.
- We now have a dedicated SOLVE-IT education repository. It contains presentations, but also a series of freely available class exercises based on SOLVE-IT that can be given to students.
- A specific document “Contribute to SOLVE-IT – A Guide for Researchers” has been produced to help researchers index their work in terms of SOLVE-IT techniques.
Tooling and Code updates
- A new SOLVE-IT Python library is available that provides programmatic access to the knowledge base.
- A new MCP server has been built that allows LLM access to SOLVE-IT, to assist with discussions and use cases related to digital forensics (available at: https://github.com/CKE-Proto/solve_it_mcp).
- The output of generate_excel_from_kb.py has been enhanced to make use of the Excel notes feature, allowing easier viewing of the details of the mitigations for specific weaknesses without overloading the view.
Content updates
A summary of the progress we are making is in the table below.
Release | Objectives | Techniques indexed | Techniques with detailed content | Weaknesses | Mitigations |
---|---|---|---|---|---|
2024-12 (original paper) | 17 | 104 | 33 (32%) | 156 | 108 |
2025-04 (DFRWS EU release) | 17 | 107 | 37 (35%) | 171 | 125 |
2025-07 release | 17 | 117 | 45 (38%) | 188 | 137 |
2025-09 release | 19 | 134 | 57 (43%) | 236 | 181 |
Many more techniques are recorded in the issue tracker, waiting for further details and implementation.
The top-level objectives have been updated with a style guide for consistency, including the addition of ‘Detect anti-forensics and other anomalies’, incorporating placeholder techniques for: T1128: Search for indicators of malware, T1129: Search for indicators of clock tampering, T1130: Search for indicators of encrypted data, T1131: Search for indicators of trail obfuscation, and T1132: Search for indicators of artifact wiping.
A selection of techniques that have been added include:
- T1120: Automated artifact extraction
- T1119: Automatically scan for artifact changes caused by app updates (both based on an upcoming DFRWS APAC 2025 paper)
- T1076: Log file examination
- T1133: AI companion app examination
- T1049 Keyword searching has had an overhaul to capture the complexity of this technique. It is the first technique making use of the sub-technique feature. This now includes:
  - T1125 Keyword search (live)
  - T1126 Keyword search (live) (physical)
  - T1127 Keyword search (live) (logical)
  - T1121 Keyword indexing
  - T1124 Keyword search (indexed)
  - T1122 Keyword search (case-type wordlists)
  - T1123 Keyword search (case-specific wordlists)
We hope that the community contributions will continue to increase and we look forward to writing the update for the next release.
Chris Hargreaves & Eoghan Casey